Forum Discussion

Oct 23, 2019

How can I use OAuth session variables in an APM policy to decide which ACL can be assigned

I am trying to create a policy where I can grab the session variable 'session.oauth.client.last.id_token.groups' that the OAuth client agent gets and use that to decide which ACL can be assigned to the user, based on the group ID value of that session variable. I am not seeing any options in the Assignment tab of the policy parameters that can leverage this session variable information.

5 Replies

  • Hi

     

    Have you tried adding an expression to the Resource Assign object? So something like

     

    • Hi Iaine

       

      I tried setting up the configuration like this.

      expr {[mcget {session.oauth.client.last.id_token.groups}] =="xxxxxxx-xxxx-xxxx-x-xx"}

      Static ACLs: /Common/test

      Add/Delete

       

      also

       

      expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.groups}]== "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}

      Static ACLs: /Common/test

      Add/Delete

       

      as I saw both these entries in the access logs for the groups information, under different session variable names.

       

      but I do not see the Resource Assign parameter logs invoking a match for these expressions to send to the ACL in the access logs.

       

  • Dumb question I know, but is the resource assigning happening after the oauth call?

     

    Have you tried outputting the variables to a message box just prior to the ACL assignment to ensure that the variables are present and correct? https://support.f5.com/csp/article/K11123
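  As an added illustration (not code from the thread, from F5, or from either poster), the two pieces the replies above describe: a Resource Assign expression that tests the OAuth groups claim, and a message box that surfaces the variable for debugging. Two assumptions of mine: the group object ID below is a placeholder to be replaced with the real value, and the claim may carry more than one group ID when the user belongs to several groups, which is why a substring match is used rather than the exact `==` comparison tried earlier (an exact comparison can only succeed when the claim holds that single ID and nothing else).

  ```tcl
  # Added example, not from the original thread.
  # 1) Resource Assign expression: assign the ACL when the id_token "groups"
  #    claim contains the target group ID. string match returns 1 (true) or 0.
  #    Placeholder group ID: replace with the real Azure AD group object ID.
  expr { [string match "*00000000-0000-0000-0000-000000000000*" \
          [mcget {session.oauth.client.last.id_token.groups}]] }

  # 2) Debugging aid per K11123: a Message Box agent placed right after the
  #    OAuth Client agent, showing the raw claim value and the APM session ID
  #    so the value can be compared against what the expression expects.
  #    (%{...} is the session-variable substitution used in APM message text;
  #    assumed here, verify against the agent's own documentation.)
  # Message text:
  #   groups claim = %{session.oauth.client.last.id_token.groups}
  #   session      = %{session.user.sessionid}
  ```

  Once the message box confirms the claim value and its separator format, the expression can be tightened (for example, matching on the exact ID with surrounding delimiters) so that a group ID that is merely a prefix of another cannot produce a false positive.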

  • Hi Iaine

     

    Looks like it's working; it's just that the logs are not showing the exact match happening by the condition we are setting. They simply show what ACL was assigned. I set up a logging message after the OAuth client to be able to see that user group match logged in the session logs.

  • Turning on debug logging in the APM logging profile would have shown this activity.

     

    General rule of thumb - if you don't see it in the logs, turn on debug and you will.